Introduction
Despite the regulation of direct marketing under both the Protection of Personal Information Act 4 of 2013 (“POPIA”) and the Consumer Protection Act 68 of 2008 (“CPA”), South African consumers are bombarded by direct marketing calls, emails, WhatsApps and SMSs on a daily basis.
In 2024, two separate regulatory bodies focussed on the regulation and enforcement of the lawful processing of personal information for the purpose of direct marketing. On 28 October 2024, the Minister of the Department of Trade, Industry and Competition (“DTIC”) published draft amendments to the CPA Regulations (“Draft Amendments”) aimed at introducing a national government “opt-out registry” regulating direct marketing to consumers, and invited the public to provide feedback and comments. Furthermore, the Information Regulator published a Guidance Note on Direct Marketing (“Guidance Note”) on 04 December 2024, which aims to provide guidance to responsible parties regarding the lawful processing of personal information for direct marketing purposes in terms of the POPIA.
While the regulatory intervention is necessary and welcomed, there is an overlap between the regulation of direct marketing under the POPIA and the CPA, which renders the approach instituted by the different authorities somewhat confusing. This article considers the current legislative position, and the effect of the proposed Draft Amendments and the Guidance Note going forward.
Current legislative provision
The POPIA defines direct marketing as follows:
“to approach a data subject, either in person or by mail or electronic communication for the direct or indirect purpose of-
- Promoting or offering to supply, in the ordinary course of business, any goods or services to the data subject; or
- Requesting the data subject to make a donation of any kind for any reason”
Furthermore, electronic communication is defined as:
“any text, voice, sound or image message sent over an electronic communications network which is stored in the network or in the recipient’s terminal equipment until it is collected by the recipient.”
The definition of direct marketing in the CPA is almost identical to the definition in the POPIA. However, the definition of electronic communication differs in that it describes electronic communication as:
“communication by means of electronic transmission, including by telephone, fax, SMS, wireless computer access, email or any similar technology or device.”
On interpretation of the definition of electronic communication in terms of the POPIA, it is generally accepted that direct marketing by telephone is excluded from the ambit of the POPIA, and is rather regulated by the CPA, as warranted by its express inclusion in the definition of electronic communication under the CPA.
The regulation of direct marketing in terms of the POPIA and the CPA differs fundamentally. The CPA follows an “opt-out” approach to direct marketing, in that section 11(1)(b), read with section 11(2) of the CPA provides for the right of any person to request the discontinuation of any communication primarily instituted for the purpose of direct marketing. Section 11(3) of the CPA further provides for a registry whereby consumers are afforded the opportunity to opt-out of direct marketing before they are contacted, by registering a pre-emptive block against any communication that is primarily for the purpose of direct marketing.
In contrast, section 69 of the POPIA regulates direct marketing by means of unsolicited electronic communications by means of an “opt-in” approach. Sections 69(1)(a) and (b) of the POPIA stipulate that the processing of personal information of a data subject for the purpose of direct marketing by means of electronic communication is prohibited unless the data subject has given his or her consent and has therefore opted-in. Section 69(1)(3) of the POPIA provides an exception where the data subject is a customer of the responsible party and stipulates that a responsible party may only process the personal information of a customer under the following circumstances:
- if the responsible party has obtained the contact details of the data subject in the context of the sale of a product or service;
- for the purpose of direct marketing of the responsible party’s own similar products or services; and
- if the data subject has been given a reasonable opportunity to object, free of charge and in a manner free of unnecessary formality, to such use of his, her or its electronic details-
- at the time when the information was collected; and
- on the occasion of each communication with the data subject for the purpose of marketing if the data subject has not initially refused such use.
- Guidance Note on Direct Marketing
On 04 December 2024, the Information Regulator published a much-anticipated Guidance Note in an attempt to shed some light on the regulation of direct marketing in terms of the POPIA.
The purpose of the Guidance Note is to guide responsible parties on how to process personal information of data subjects for direct marketing purposes, in accordance with the POPIA. The Guide distinguishes between two types of direct marketing, namely direct marketing by means of electronic communication, and direct marketing by other means, such as post or hand-delivered mail, in-person direct marketing or letterbox drops distributed to an identified address in a specific area etc.
The Guidance Note addresses the application of section 69 of the POPIA in respect of direct marketing by means of unsolicited electronic communication. The Guide further provides that where direct marketing is communicated by non-electronic means, the responsible party may dispense with the requirement to obtain consent (opt-in) where the responsible party relies on section 11(1)(d) or (f) for the processing of personal information for the purpose of direct marketing on the basis of a lawful, legitimate interest of the data subject, the responsible party or third party (whichever is applicable). Notwithstanding, a data subject may still object to the processing of personal information in terms of section 11(1)(d) or (f) by lodging the objection in the prescribed form provided for in the Regulations to the POPIA. After objecting, the responsible party may not contact the data subject again.
The Guidance Note prescribes a three-stage Legitimate Interest Assessment that the responsible party must follow when relying on legitimate interest as a lawful basis for processing personal information for the purpose of direct marketing by means other than electronic communication.
The Guidance Note further discusses the application of the eight conditions for the lawful processing of personal information in respect of direct marketing and also provides general guidance regarding the sharing of personal information and automated decision making.
What is notable, however, is that the Guidance Note expressly includes telephonic communication as a form of electronic communication and identifies telemarketing as an example of direct marketing by means of electronic communication under the POPIA. The Information Regulator expressed its view that telephonic communication qualifies as a form of electronic communication, due to it becoming more and more digital over time and further explained that:-
“telephone calls predominantly use VoIP (Voice over Internet Protocol), which is packet-switched telephony rather than the public-switched telephony previously used for analogue communication. The analogue voice is encoded into a digital stream that is divided into small data packets which are labelled according to their order. These voice data packets are transmitted using real-time protocols during a telephone call, and are stored on the network. The voice data packets are re-assembled to match the original order of transmission, error correction is applied to digital data stream to compensate for the delay caused by packet re-assembly and finally relayed to the recipient’s terminal equipment to be decoded into analogue voice for consumption upon the recipient’s acceptance of the call.”
The Information Regulator’s justification for the inclusion of telephonic communications as a form of electronic communication seems to suggest that the requirement for electronic communication to be stored in the network or in the recipient’s terminal equipment until it is collected by the recipient, is therefore met.
This is a fundamental shift from the accepted legislative position thus far. It is important to note that the Guidance Note remains advisory in nature, and is not considered to be the law. The provisions of the POPIA and the Regulations will prevail over the Guidance Note should the Information Regulator’s interpretation result in an inconsistency with the Act going forward.
- DTIC proposed Draft Amendments to the CPA Regulations
The DTIC published proposed Draft Amendments to the CPA Regulations, with the aim of introducing a national government “opt-out registry”, as contemplated by section 11(3) of the CPA, and imposing additional requirements on direct marketers, to curb the intrusive marketing practices directed at South African consumers.
The opt-out registry, proposed to be regulated by the National Consumer Commission (“NCC”), would enable consumers to register a pre-emptive block to prevent responsible parties from processing their personal information for the purpose of marketing their goods or services.
The main focus of the proposed Draft Amendments is to amend Regulation 4(1)(b) to make provision for the registration of a pre-emptive block. Regulation 4(3)(b) is also proposed to be amended to provide that the registry must at all times, except in unforeseen technical interruptions, be accessible to all persons in the Republic for purposes of registering a pre-emptive block.
The proposed Draft Amendments introduce further sub-regulations to facilitate the effective operation of the opt-out registry, and to impose the obligations of the NCC, consumers and direct marketers. Consumers will be required to complete the prescribed form to register a pre-emptive block against the communication of direct marketers and must keep their registration information up to date. Direct marketers will be required to register as such on the registry before they are permitted to contact consumers for purposes of direct marketing, and will be required to renew their registration on an annual basis and to keep its information up to date. Direct marketers will also be required to review the opt-out registry before contacting consumers to ensure that a consumer has not registered a pre-emptive block, in which event the direct marketer will be obliged to remove such consumer’s details from its database, effectively conducting a process of “cleansing” as contemplated by the proposed Draft Amendments. When marketing to consumers, direct marketers should ensure that its electronic communications are clearly identifiable. In facilitating this process and operating the registry, the NCC will receive extensive personal information and will be required to impose stringent security measures for the lawful processing of the personal information of consumers.
The DTIC invited the public to submit written comments on the Draft Regulations within 45 days from 28 October 2024. The proposed amendments are not yet in force.
- The impact of the proposed Draft Amendments on the POPIA and the Information Regulator’s Guidance Note
As more fully set out hereinabove, the regulation of direct marketing by electronic communication in terms of the POPIA and the CPA differs fundamentally. The POPIA prescribes an opt-in approach, with the exception of data subjects that are existing customers of the responsible party in terms of section 69(1)(3) of the POPIA, while the CPA prescribes an opt-out approach, and further provides for the pre-emptive opt-out registry. The requirements placed on direct marketers are further complicated by the overlap between direct marketing by electronic communication regulated under the POPIA and the CPA, respectively, for the following reasons:-
- The Information Regulator has expressly included direct marketing by telephone as direct marketing by electronic communication regulated under section 69 of the POPIA, which was previously considered to be regulated under the CPA alone;
- The proposed Draft Amendments, will not only affect direct marketing in terms of the CPA, but will also affect direct marketing currently regulated under the POPIA.
The Information Regulator’s Guidance Note briefly addressed the interaction between the POPIA and the opt-out registry contemplated by section 11 of the CPA, in respect of direct marketing by electronic communication. It confirmed that the POPIA requires that responsible parties must in terms of section 69(1)(a) of the POPIA obtain consent for direct marketing. Section 69(2)(a) of the POPIA requires the responsible party to contact the data subject only once in order to obtain such consent, provided that the data subject has not previously withheld such consent. It advised that:-
“a responsible party cannot therefore contact a data subject, who has not registered a pre-emptive block (…), without having first obtained their consent. In other words, even if a data subject has not registered a pre-emptive block, a responsible party must still comply with the requirements in sections 69(1) and (2) of the POPIA before sending a data subject direct marketing messages through unsolicited electronic communication. A responsible party cannot therefore contact a data subject for purposes of direct marketing simply because they (data subject) have not registered a pre-emptive block.”
This seems to suggest that the Information Regulator proposes the application of both the CPA and the POPIA on direct marketers in respect of direct marketing by electronic communication, in the event that both acts apply.
Direct marketers should therefore firstly establish which Act finds application in respect of its marketing practices, taking into account that the Information Regulator also regards telemarketing to be electronic communication under the POPIA.
Secondly, direct marketers will be required to ascertain whether consumers have registered a pre-emptive block on the opt-out registry. In the event that a consumer has not registered a pre-emptive block, the direct marketer would still be required to comply with sections 69 (1) and (2) of the POPIA in order to obtain consent from the consumer for its direct marketing practices.
Finally, where consent has been obtained, such consent remains subject to the consumer’s right to object to the processing of its personal information for direct marketing purposes in the future. In the event that the POPIA does not find application, the opt-out approach in terms of section 11(1)(b), read with section 11(2) of the CPA would allow for a consumer to request the discontinuation of any communication primarily instituted for the purpose of direct marketing.
- Conclusion
Both the Guidance Note and the proposed Draft Amendments to the CPA Regulations suggest that the reins on direct marketing will be tightened significantly going forward. However, compliance with the POPIA and the CPA remains a minefield of opt-in and opt-out requirements, which necessitates direct marketers to critically assess its direct marketing practices and legislative compliance. It remains to be seen how the regulation of direct marketing will be enforced concurrently by the Information Regulator and the NCC in the future once the proposed Draft Amendments come into force.
Written by Allison van der Walt and Jessica van Zyl
